[Samba] Mounting Samba shares with Kerberos

Rowland Penny rpenny at samba.org
Tue Jan 16 09:51:34 UTC 2024


On Tue, 16 Jan 2024 08:25:34 +0100
"Pluess, Tobias via samba" <samba at lists.samba.org> wrote:

> 
> Bonus question:
> can I make this work with SSH as well?

Yes.

> As we now know, Kerberos is configured correctly on my computer, as I
> can access Samba shares. Perfect! Now it would be fantastic if the
> Kerberos ticket can also be used for SSH authentication. I have
> tested this, but also, no success. I tried to debug but I lack some
> Kerberos experience, therefore I cannot judge but at first sight, it
> seems to work, but in the end, asks for a password anyways. Possible
> to fix?

Oh, you want to know how to do it :-)

CLIENT:

/etc/ssh/ssh_config

Host *
#   PasswordAuthentication no
    SendEnv LANG LC_*
    HashKnownHosts yes
    GSSAPIAuthentication yes
    GSSAPIKeyExchange yes
    GSSAPIRenewalForcesRekey yes

Host *.samdom.example.com
    # It's best to limit this option to only trusted hosts:
    GSSAPIDelegateCredentials yes

/etc/ssh/sshd_config

SyslogFacility AUTH
LogLevel INFO
ChallengeResponseAuthentication no
UsePAM yes
X11Forwarding yes
PrintMotd no
AcceptEnv LANG LC_*
Subsystem	sftp	/usr/lib/openssh/sftp-server
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes

SERVER:

/etc/ssh/ssh_config

Include /etc/ssh/ssh_config.d/*.conf

Host *
    SendEnv LANG LC_*
    HashKnownHosts yes
    GSSAPIAuthentication yes

/etc/ssh/sshd_config

Include /etc/ssh/sshd_config.d/*.conf

Port 22
SyslogFacility AUTH
LogLevel INFO
PubkeyAuthentication no
PasswordAuthentication no

GSSAPIAuthentication yes
GSSAPIKeyExchange yes

UsePAM yes
X11Forwarding yes
PrintMotd no
AcceptEnv LANG LC_*
Subsystem	sftp	/usr/lib/openssh/sftp-server

Rowland
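
Added example, not part of the original message: a small check for the point made in the client config comment, that GSSAPIDelegateCredentials should be limited to trusted hosts. It lists every ssh_config block that enables delegation for a pattern outside a trusted domain suffix; the function names, the sample text and the extra "Host jump *.example.net" block are constructed for illustration.

```python
import re

# Constructed sample: part of the client ssh_config from the message, plus one
# deliberately over-broad block added here so the check has something to find.
SAMPLE = """\
Host *
    GSSAPIAuthentication yes
    GSSAPIKeyExchange yes

Host *.samdom.example.com
    # It's best to limit this option to only trusted hosts:
    GSSAPIDelegateCredentials yes

Host jump *.example.net
    GSSAPIDelegateCredentials=yes
"""

def delegation_scopes(text):
    """Yield (line_no, host_patterns) for each line enabling delegation."""
    patterns = ["*"]  # options before the first Host line apply to every host
    for no, raw in enumerate(text.splitlines(), 1):
        # ssh_config accepts "Keyword value" and "Keyword=value";
        # comments and blank lines do not match and are skipped.
        m = re.match(r"(\w+)(?:\s*=\s*|\s+)(.*)$", raw.strip())
        if not m:
            continue
        key = m.group(1).lower()  # keywords are case-insensitive
        args = [a.strip('"').lower() for a in m.group(2).split()]
        if key == "host":
            patterns = args
        elif key == "match":
            # Match criteria are not evaluated here; report them for manual review.
            patterns = ["<match " + " ".join(args) + ">"]
        elif key == "gssapidelegatecredentials" and args[:1] == ["yes"]:
            yield no, patterns

def too_broad(text, trusted_domain):
    """Return [(line_no, offending_patterns)] for delegation outside trusted_domain."""
    domain = trusted_domain.lower().lstrip(".")
    findings = []
    for no, pats in delegation_scopes(text):
        # Negated patterns (!host) only exclude hosts, so they cannot widen the scope.
        bad = [p for p in pats if not p.startswith("!")
               and p != domain and not p.endswith("." + domain)]
        if bad:
            findings.append((no, bad))
    return findings
```

This reads one file and does not follow Include lines or apply first-match-wins ordering; `ssh -G hostname` prints the options ssh actually resolves for a given host.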